Commit 6aaac006af modified the
pmksa_cache_init() prototype, but forgot to update the empty wrapper
function which is used when PMKSA caching is not included in the build.
Signed-hostap: Jouni Malinen <j@w1.fi>
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. Previously it was possible to
define CONFIG_IEEE80211V without CONFIG_WNM which would break the build.
In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and
WNM is a better term to use for this new functionality anyway.
Signed-hostap: Jouni Malinen <j@w1.fi>
These fields do not use AES keywrap. Instead, they are protected with
management frame protection (and not included if PMF is disabled).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Expiry can always trigger a deauthentication, but otherwise,
deauthentication should only happen when the *current* cache entry is
removed and not being replaced. It should not happen when the current
PMK just happens to match the PMK of the entry being removed, since
multiple entries can have the same PMK when OKC is used and these
entries are often removed at different times.
This fixes an issue where eviction of the oldest inactive entry due to
adding a newer entry to a full cache caused a deauthentication when the
entry being removed had the same PMK as the current entry.
Signed-hostap: Dan Williams <dcbw@redhat.com>
Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF
was negotiated for the connect (1 = optional in this BSS, 2 = required
in this BSS).
Signed-hostap: Jouni Malinen <j@w1.fi>
This function is now unused after the last couple of commits that
removed the last uses, so remove this to keep code simpler since all
places that disassociate, can use deauthentication instead.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Even though the standard currently describes disassociation to be used
for RSN element mismatch between Beacon/Probe Response frames and
EAPOL-Key msg 3/4, this is unnecessary difference from other cases that
deauthenticate. In addition, there is no point in leaving the 802.11
Authentication in place in this case. To keep things simpler, use
deauthentication here to get rid of the only use of
wpa_sm_disassociate().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
These values are used with WAPI and CCX and reserving the definitions
here reduces the number of merge conflicts with repositories that
include these functions.
Signed-hostap: Jouni Malinen <j@w1.fi>
This introduces new AKM for SAE and FT-SAE and adds the initial parts
for going through the SAE Authentication frame exchange. The actual SAE
algorithm and new fields in Authentication frames are not yet included
in this commit and will be added separately. This version is able to
complete a dummy authentication with the correct authentication
algorithm and transaction values to allow cfg80211/mac80211 drivers to
be tested (all the missing parts can be handled with
hostapd/wpa_supplicant changes).
Signed-hostap: Jouni Malinen <j@w1.fi>
Try to share most of the cipher information like key and RSC lengths and
suite selector conversions, etc. in wpa_common.c to avoid having similar
code throughout the WPA implementation for handling cipher specific
behavior.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows both hostapd and wpa_supplicant to be used to derive and
configure keys for GCMP. This is quite similar to CCMP key
configuration, but a different cipher suite and somewhat different rules
are used in cipher selection. It should be noted that GCMP is not
included in default parameters at least for now, so explicit
pairwise/group configuration is needed to enable it. This may change in
the future to allow GCMP to be selected automatically in cases where
CCMP could have been used.
This commit does not included changes to WPS or P2P to allow GCMP to be
used.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
cur_pmksa was left to NULL during the initial association. This can
result in unexpected behavior, e.g., in expiring PMKSA cache entries
since the current entry is not locked in that case. Fix this by updated
cur_pmksa when adding the initial PMKSA entry during msg 1/4 processing.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If the PMKSA cache is full (i.e., 32 candidates have been seen in scan
results and have not yet expired) then any additional entries can
potentially evict the current/active entry (if it is the oldest entry),
which triggers a pointless local deauthentication. The supplicant
shouldn't replace the current/active entry if it is still valid, but
instead the oldest entry that is *not* the current/active one.
Signed-hostap: Dan Williams <dcbw@redhat.com>
intended-for: hostap-1
Remove the GPL notification text from files that were initially
contributed by Atheros Communications or Qualcomm Atheros.
Signed-hostap: Jouni Malinen <j@w1.fi>
In case of !defined(IEEE8021X_EAPOL) the definition of the stub
pmksa_cache_get() in rsn_supp/pmksa_cache.h is not correct. This patch
adds the missing argument to the function definition to fix a
regression from commit 96efeeb66b.
Signed-hostap: Antonio Quartulli <ordex@autistici.org>
When looking for PMKSA cache entries to use with a new association, only
accept entries created with the same network block that was used to
create the cache entry.
Signed-hostap: Jouni Malinen <j@w1.fi>
This makes it clearer that the PMKSA caching entry gets removed from
the driver regardless of how the internal entry from wpa_supplicant
gets cleared. In practice, this call was skipped only for the case
when the entry for the current AP was being updated, so the previous
version was likely to work with all drivers. Anyway, it is cleaner
to explicitly remove the old entry even in that case before the new
entry gets added.
Signed-hostap: Jouni Malinen <j@w1.fi>
TPK will be needed to be able to generate FTIE MIC for the
teardown message, so maintain peer data for a bit longer in
case the teardown FTIE request comes back from the driver.
Use the wpa_tdls_add_peer function to allocate TDLS peer structures.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Use capability information to decide whether to perform a given TDLS
operation internally or through mgmt-frame Tx.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Before commencing setup, add a new STA entry to the driver representing
the peer. Later during setup, update the STA entry using information
received from the peer.
Extend sta_add() callback for adding/modifying a TDLS peer entry and
connect it to the TDLS state machine. Implement this callback for the
nl80211 driver and send peer information to kernel.
Mark TDLS peer entries with a new flag and translate it to a
corresponding nl80211 flag in the nl80211 driver.
In addition, correct TDLS related documentation in the wpa_driver_ops
structure.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Record the capabilities and supported rates of the TDLS peer during
link setup. These are given in the IEs passed in Setup Request and
Setup Response frames.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Disable the direct connection when a TDLS peer stops responding
to packets, as indicated by the "LOW ACK" event coming from a driver.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Allow sending a TDLS discovery request as a frame through the driver.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
When a driver does not implement the TDLS_TEARDOWN operation internally,
send an explicit TDLS link teardown frame to the driver.
Change all teardown calls to use these calling semantics.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
When a discovery request is received, add the peer to the TDLS peer
cache and send a response containing minimal data. Mandatory IEs in
the discovery response frame will be filled out by the driver.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Put glue code in place to propagate TDLS related driver capabilities to
the TDLS state machine.
If the driver doesn't support capabilities, assume TDLS is supported
internally.
When TDLS is explicitly not supported, disable all user facing TDLS
operations.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
A zero dialog-token is considered invalid by IEEE Std 802.11z-2010.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Whenever PMK gets changed (e.g., due to re-authentication), all PMKSA
caching entries that were created using the previous PMK needs to be
replaced. Previously, only the entry for the current AP was cleared.
Flush the other entries based on network_ctx matches to get rid of the
OKC entries. These entries can then be re-creating using OKC with the
new PMK.
If a network configuration block is removed or modified, flush
all PMKSA cache entries that were created using that network
configuration. Similarly, invalidate EAP state (fast re-auth).
The special case for OKC on wpa_supplicant reconfiguration
(network_ctx pointer change) is now addressed as part of the
PMKSA cache flushing, so it does not need a separate mechanism
for clearing the network_ctx values in the PMKSA cache.
If the driver maintains its own copy of the PMKSA cache, we need to
clear an entry from the driver whenever wpa_supplicant is dropping
an old PMKSA cache entry.
Reassociation Request/Response frame validation need to count all IEs in
the RIC. In addition, TIE is not protected, so it should not be included
in the count.
Signed-off-by: Hong Wu <hong.wu@dspg.com>
Add support to wpa_supplicant for device-based GTK rekeying. In order to
support that, pass the KEK, KCK, and replay counter to the driver, and
handle rekey events that update the latter.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>